Posted By Jessica Weisman-Pitts
Posted on May 15, 2024

Why legacy access permissions need to be of greater concern for financial organisations
By Justin Jon Thorne, co-founder of Hydra
Security is the number one priority for every financial organisation. Beyond the universal obligation to protect client data, there is the very tangible concern of money, which makes data breaches and cyber attacks a matter of paramount importance for any business operating in the financial sector. But while the protection of client data and the security of internal systems are matters of compliance and are treated with corresponding seriousness, other areas are more easily overlooked, and legacy access to external SaaS platforms is one of them.
SaaS platforms are used by almost every contemporary business, for marketing, analytics, advertising and a host of other functions, and their day-to-day management is often outsourced to agencies. They are a highly efficient and cost-effective way to handle a variety of essential tasks. But each of them is also a place where access can be granted and then forgotten, and that is where they expose businesses to risk.
Why do financial institutions need to be more aware of legacy access permissions?
Legacy access is easily overlooked by financial organisations because it rarely involves core in-house systems, where an overview of access permissions is almost always available. The areas that cause problems are third-party SaaS, social media and advertising platforms. Even when these are managed in-house, access permissions are difficult to oversee, because each platform has its own account and role model, and most of them cannot be brought under control with a password vault or similar tool. And while SSO, PAM and IAM platforms are routinely deployed within financial businesses, many third-party services integrate with them poorly or not at all, so access is granted directly on the platform, outside the identity systems the security team monitors. That gap leaves financial institutions exposed.
What harm can come from legacy access permissions?
The failure to remove access from people who no longer have a legitimate need for it, whether ex-employees or the staff of an agency the business no longer works with, creates a range of risks. For some organisations, that risk takes the shape of reputational damage. As Burger King found, even a clearly off-brand tweet can draw enormous attention and alienate a sector of your audience, and no news spreads faster than a juicy, reputation-shattering story. For others, the risk is sabotage, espionage or the misappropriation of funds. All of these are straightforward to carry out for someone who still has access and an axe to grind, and all can take a great deal of time and effort to recover from. And with so many external channels and SaaS platforms now employed by financial institutions, those risks are dramatically amplified.
Financial organisations face a further concern on top of those risks: compliance. With GDPR and other regulatory standards to adhere to, the protection of customer privacy is more pressing than it has ever been, and a forgotten account that can still reach customer-facing channels is a compliance problem as well as a security one.
Why is legacy access so difficult to manage?
Aside from the sheer number of external channels now in play and their incompatibility with standard management and security platforms, the individual platforms' own security models complicate matters. With many social media platforms, for example, a user can only access business services through their own personal profile, so the business never holds the credential and cannot simply reset or disable it when someone leaves; the only control it has is the permission granted to that profile. That makes it hard for a business to gain an overview of who has access to its accounts, and harder still for large businesses with multiple account managers. This will not change until organisations adopt platforms that allow complete management of all third-party channels: platforms capable of providing a holistic overview for the business and a single point of entry for all users, where access permissions can be granted or rescinded quickly and easily, as soon as that access is no longer required.
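Until such a platform is in place, the overview the article describes can still be built by hand from what the platforms do give you: a user-and-role export. The script below is an added example, not Hydra's code and not from the original article. It reconciles constructed per-platform exports against an HR roster, an agency engagement list and a business-maintained map of personal logins to employees, and flags four classes of legacy access: logins belonging to former employees, logins from agencies whose engagement has ended, personal logins with no owner on record, and privileged roles that have sat unused. The corporate domain, the role names, the 90-day dormancy window and all sample accounts are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumptions for this example (not from the article): the corporate mail
# domain, which platform roles count as privileged, and the dormancy window.
CORPORATE_DOMAIN = "example-bank.test"
PRIVILEGED_ROLES = {"admin", "owner"}
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class PlatformUser:
    """One row of a platform's user/role export (social page, ad account, ...)."""
    platform: str
    login: str                   # identity as the platform shows it, often a personal email
    role: str
    last_active: Optional[date]  # None when the platform reports no activity at all


@dataclass(frozen=True)
class Finding:
    platform: str
    login: str
    role: str
    reason: str


def review_access(users: List[PlatformUser], today: date,
                  hr_roster: Dict[str, str],
                  agencies: Dict[str, Optional[date]],
                  identity_map: Dict[str, str]) -> List[Finding]:
    """Flag every platform login that should no longer hold access.

    hr_roster maps corporate address -> HR status ("active", "left", ...).
    agencies maps agency mail domain -> engagement end date (None = current).
    identity_map maps a personal/platform login -> the corporate address of the
    employee it belongs to; a personal login missing from it has no known owner.
    """
    findings: List[Finding] = []
    for u in users:
        login = u.login.lower()
        owner = identity_map.get(login, login)   # resolve personal profile to employee
        domain = owner.rsplit("@", 1)[-1]
        reason = None
        if domain == CORPORATE_DOMAIN:
            status = hr_roster.get(owner)
            if status is None:
                reason = "corporate address unknown to HR"
            elif status != "active":
                reason = f"employee status is '{status}'; offboarding missed"
        elif domain in agencies:
            end = agencies[domain]
            if end is not None and end < today:
                reason = f"agency engagement ended {end.isoformat()}"
        else:
            reason = "personal or unrecognised login with no owner on record"
        # A legitimate holder of a privileged role is still a risk if the role sits unused.
        if reason is None and u.role in PRIVILEGED_ROLES:
            if u.last_active is None or today - u.last_active > DORMANT_AFTER:
                reason = f"privileged role unused for over {DORMANT_AFTER.days} days"
        if reason is not None:
            findings.append(Finding(u.platform, u.login, u.role, reason))
    # Privileged findings first: those logins can post, spend or add more users.
    findings.sort(key=lambda f: (f.role not in PRIVILEGED_ROLES, f.platform, f.login))
    return findings


# Constructed sample data for the example; no real accounts, people or agencies.
TODAY = date(2024, 5, 15)
HR_ROSTER = {
    "a.khan@example-bank.test": "active",
    "b.lee@example-bank.test": "left",
    "c.ng@example-bank.test": "active",
}
AGENCIES = {"brightads.test": date(2024, 3, 31), "pixelco.test": None}
IDENTITY_MAP = {
    "alice.k.88@personalmail.test": "a.khan@example-bank.test",
    "bobby.l@personalmail.test": "b.lee@example-bank.test",
}
PLATFORM_EXPORTS = [
    PlatformUser("meta_business", "alice.k.88@personalmail.test", "admin", date(2024, 5, 10)),
    PlatformUser("meta_business", "bobby.l@personalmail.test", "admin", date(2023, 11, 2)),
    PlatformUser("meta_business", "dave@brightads.test", "employee", date(2024, 3, 20)),
    PlatformUser("google_ads", "c.ng@example-bank.test", "standard", date(2024, 5, 14)),
    PlatformUser("google_ads", "ops@pixelco.test", "admin", date(2024, 5, 1)),
    PlatformUser("google_ads", "someone@personalmail.test", "admin", None),
    PlatformUser("linkedin_page", "c.ng@example-bank.test", "admin", date(2024, 1, 5)),
]


def run_sample() -> List[Finding]:
    return review_access(PLATFORM_EXPORTS, TODAY, HR_ROSTER, AGENCIES, IDENTITY_MAP)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.platform:14} {f.login:32} {f.role:9} {f.reason}")
```

The identity map is the piece that no IdP will give you for platforms that bind business access to personal profiles; it has to be recorded at the moment access is granted, which is why the review should be run on a schedule rather than only at offboarding. The sample deliberately includes a current, active employee whose admin role on one platform has been dormant for months: that login belongs to nobody who has left, yet it is still an unnecessary standing privilege.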
The question of legacy access and accountability
When digital access is abused in any way, fingers are pointed and the question of accountability arises. It is never just the ostensible perpetrator who is responsible; it is also whoever should have prevented the legacy access from continuing. At the surface level, that could be the line manager in charge of the account, or their manager, for failing to initiate the correct off-boarding process. But there is also an argument that many instances of technical failure should ultimately be the responsibility of the Chief Technical Officer, because unless the tools and the operational practices are in place for employees to use, mistakes will always be made.
Access permissions for third-party and SaaS platforms are rarely considered as important as other cyber threats. But in the right set of circumstances they can be almost as damaging, causing financial loss and eroding customer trust. So it is time for financial organisations to take the threat more seriously, and to implement processes that ensure poor legacy access management is never the reason for a sudden spike in brand awareness.
About the Author:
Justin Jon Thorne is co-founder of Hydra, a SaaS platform that gives agencies, brands and digital teams monitoring and management of access to external channels. It provides a single access point to, and a complete overview of access permissions across, the major social channels, analytics platforms and ad accounts, including Google, Meta and LinkedIn, enabling monitoring of both current and legacy access.